Post navigation

Windows 8 Takes ASLR To The Next Level

Microsoft has recently released the latest version of Windows dubbed Windows 8. The operating system features, among other things, a new user interface called Metro, which has been fairly controversial. On top of the user interface Microsoft has taken serious efforts to improve security – Windows 8 includes a far stronger implementation of ASLR.

ASLR (Address Space Randomization)

Address Space Randomization, or ASLR for short, is an exploit mitigation technique invented by the PaX team. The idea is that attackers generally need to know where code is in a processes address space in order to carry out attacks. ASLR, as the name, randomizes the address space and makes it more difficult for attackers to exploit programs.

More Areas Randomized

One of the issues with ASLR is that if any area of address space isn’t randomized it can mean a full bypass for an attacker. Windows 8 now randomizes many new areas of the address space. Most significantly, all bottom up allocations (VirtualAlloc() VirtualAllocEx()) are now randomized, which closes up holes like this one. All bottom up and top down memory allocations being random makes the implementation of ASLR far better than in Windows 7.

One bypass of EMET 3.5 relied on a universal ASLR bypass using predictable pages and an information leak. Those (specific ones) are now gone.

Higher Entropy

ASLR randomizes allocations but if those randomized areas of memory are predictable an attacker can bruteforce their way to a useful area. Windows 8 has added significantly greater entropy to top down allocations and also added an opt-in feature titled High Entropy ASLR, which increases entropy across the board for all areas of address space. On a 64bit system it becomes unlikely that an attacker will bypass ASLR through bruteforcing as the address space is much larger – though this large address space is not necessarily enough.

Force ASLR

Another very significant feature of Windows 8 is native support for Force ASLR. As I stated above a single area of address space being predictable is often enough for an attacker to bypass ASLR entirely and Force ASLR is built to ensure that no areas can be predictable. Often times when we run a program we add plugins or third party extensions – a web browser binary extension for example, or a program that adds a context menu to explorer.exe – and these third parties may not have enabled ASLR on their software. On Windows 7 and previous this would have meant an attacker could predict that area of address space and bypassed ASLR but not on Windows 8. With Force ASLR enabled all non-ASLR modules injected into a process are forced to use ASLR as wellm thus ensuring the entire process is randomized.

The improvements don’t end there but those three have the largest impact (as well as no more USER_SHARED_DATA bypasses). It’s clear that Microsoft has put effort into making Windows 8 their most secure operating system yet. When mainstream programs begin to make use of these mitigation techniques attackers are going to be forced to start finding other avenues of attack.

But after I was doing a little bit of research, I realized that the USER_SHARED_DATA memory, shared between user and kernel mode, still exists in Windows 8. It is also statically mapped at 0xFFFFF78000000000 on Windows 8 x64 (See wdm.h, Line 16380, in Windows Driver Kit). Also this shared memory is still writeable and executable. Maybe I miss something or I just don’t understand but can you please explain to me, why USER_SHARED_DATA bypasses should not be possible anymore? Maybe you can contact me via mail.

When you find a static area of memory, it’s nice, but it isn’t a guarantee that you’ll be able to use it. You need to create your ROP payload. From what I understand the techniques used previously to make use of the static structure are no longer valid. You can no longer generate valuable ROP chains from it.

They reference that various pointers have been removed. Sounds like they either constify’d or stripped it all down to make it less useful to attackers.